Why Does ‘mysql’ User Has /bin/bash Shell?

Home » CentOS » Why Does ‘mysql’ User Has /bin/bash Shell?
CentOS 9 Comments

Hello,

Default MySQL installation on CentOS sets /bin/bash as shell. I’m on a user cleanup task where I want reduce unneeded privileges to users.

What is the “mysql” user shell for? (What will happen if I change it to
/bin/false or whatever would disable it’s shell?)

It’s not only a matter of SSH (I’m aware I can AllowUsers in sshd_config for example).

9 thoughts on - Why Does ‘mysql’ User Has /bin/bash Shell?

  • From: Mihamina Rakotomandimby

    Its password should be locked. So you cannot login as mysql but you can “su – mysql” or run scripts as mysql. I do not know if any of the “standard” tools needs a shell though.

    JD

  • Can you not set up a test system and try it out? Or, if this is your only system, could you not back it up, and test your suggestions out?

    The mysql “shell” is for viewing data in your databases and manipulating the data in required. You can also add tables and things like that. It is a powerful tool if you know what you are doing.

    Cheers,

    Cliff

    On Thu, Jan 9, 2014 at 10:27 PM, Mihamina Rakotomandimby

  • I dont have enough unit test in mind to assume it’s safe.

    I might confuse you. I’m not talking about the “mysql>” prompt. I know what it is for. I’m talking about:
    # grep mysql /etc/passwd mysql:x:498:498:MySQL server:/var/lib/mysql:/bin/bash
    ^^^^^^^^^
    this -|

  • Mihamina Rakotomandimby said the following on 09/01/2014 10:27:

    I checked in my CentOS 6 installations.

    Only one (the latest) has this issue, so it could be something added/modified in the lastest months.

    Other installations starting from June 2013 (included) does NOT have this issue and the shell of mysql user is /sbin/nologin

    Ciao, luigi

  • I just tested here on an EL6 VM that didn’t have mysql-server on it before:

    # grep mysql /etc/shadow
    mysql:!!:16079::::::

    I tried to investigate further by taking a look at the mysql-server spec file, but apparently CentOS doesn’t ship with a source repo configured:

    $ yumdownloader –source mysql-server
    ….noise noise noise….
    No source RPM found for mysql-server-5.1.71-1.el6.i686

    I looked in CentOS-Base.repo, and don’t see one I can enable.

    Also, connections to vault.CentOS.org are timing out right now, so I
    can’t build a .repo file entry by hand.

    So, lacking real information, I will make a wild guess as to why this happened: someone got lazy modifying an adduser/useradd command in the mysql.spec file.

  • You’ve misunderstood the point of that test. It is proof that John Doe’s guess is right: the mysql user’s account is locked (!!). This means that only way you can “log in as mysql” and thus make use of the
    /bin/bash setting is to first be root, then “su – mysql”. You can’t su to mysql from a non-root account since that would require a password.

    That’s why I guess this is a symptom of a wooly-headed change to the spec file, rather than some nefarious security breach.

    By the way, vault.CentOS.org is back. Here’s what we find in the spec file:

    /usr/sbin/useradd -M -N -g mysql -o -r -d /var/lib/mysql -s /bin/bash \
    -c “MySQL Server” -u 27 mysql >/dev/null 2>&1 || :

  • I don’t think there is a good reason. Someone made a mistake. File a bug report upstream.

    I’ve now downloaded and examined the .src.rpm for every 6.x point release plus that for 5.10, and they all do this.

    On skimming the changelog section of the spec file, I can’t see an entry that explains why this was done. However, I might have more success if I knew the first version where this changed — if indeed it ever did behave differently — but I haven’t found that version yet.

    I don’t think I’m going to spend any more time looking, though, since
    6.0 takes me back 3 years. This behavior has been in there for quite a long time.

  • I don’t see how that can be. I’ve checked the spec file in the mysql.src.rpm for every 6.x point release from 6.0 through 6.5, and they
    *all* have this command:

    /usr/sbin/useradd -M -o -r -d /var/lib/mysql -s /bin/bash \
    -c “MySQL Server” -u 27 mysql > /dev/null 2>&1 || :

    Actually, later versions add “-N -g mysql” to this, which as far as I
    can tell is basically pointless. It tells useradd to do exactly what it would have done by default anyway. It should have no bearing on this issue.

    I have one from March 2013, and it *does* have /bin/bash as user mysql’s shell.

  • Warren Young said the following on 10/01/2014 21:41:

    The June 2013 installation with /sbin/nologin COULD have been installed with a old DVD (say CentOS 6.2) and updated via Internet (I really don’t remember). It’s my home server, I rebuilt it last summer.

    The latest with /bin/bash is a CentOS VM hostd at http://www.cloudatcost.com

    Nearly on the same period I created a VM at Hetzner.de, and it has /sbin/nologin

    The funy thing is that both cloudatcost.com and hetzner.de are two VMs provided with the “Minimal” installation and I installed mysql-server package from the repositories. I am not sure if I chsh-ed the mysql account

    Anyway, why assign an interactive shell to mysql???

    Ciao, luigi